
BitLocker can't be enabled by Sophos after it had been activated manually

I have a Dell XPS 15 9570 laptop on which a user had manually activated BitLocker before we applied Sophos Device Encryption. I turned off encryption with the BL key he had saved, and then tried to apply Sophos encryption, but got an error that BL could not be enabled. I looked in TPM.msc, all looked fine, and used it to clear the TPM. Still no joy with Sophos. Then I went into the BIOS and cleared the TPM from there several times. I also tried disabling the TPM, rebooting, then enabling it from the BIOS.

We have many of these machines doing just fine with Sophos encryption, but they had never been manually BitLocked. My Sophos Endpoint is up to date, Device Encryption 2.1.217. The PC is running Win 10 21H1, and all Dell drivers are up to date. If I go directly to BitLocker, it allows me to start the process to turn it on and wants me to set up a new key, so it seems the TPM is cleared.

Any ideas on how to make it like the TPM had never been used?
  • Hi Mitch,

    Thank you for reaching out to us. Is it managed via Sophos Central Device Encryption or via Sophos SafeGuard? Can you perform the steps below and let us know the status:

    • Disable BitLocker with the following command: manage-bde -protectors -disable c:
    • Reboot the computer
    • Enable BitLocker again with the following command: manage-bde -protectors -enable c:

    Make sure to run these commands from an elevated command prompt.

    Glenn ArchieSeñas (GlennSen)
    Global Community Support Engineer

    The New Home of Sophos Support Videos!  Visit Sophos Techvids
  • Glenn -

    We're using Sophos Central device encryption. That was very helpful, but I had to tweak the method. After doing steps 1-3, I got the same message:

    BitLocker could not be enabled.
    The BitLocker encryption key cannot be obtained. Verify that the Trusted Platform Module (TPM) is enabled and ownership has been taken. If this computer does not have a TPM, verify that the USB drive is inserted and available.
    C: was not encrypted.

    I tried several combinations of disabling and re-enabling BitLocker. I also re-installed Sophos. In the end, what worked was simply disabling BitLocker and rebooting. I think the reason the error is coming up is because BitLocker *IS* enabled and Sophos can't enable it -- possibly a bug in software to check for that status. I don't know at what stage Sophos gets the key from BitLocker, perhaps it is at enablement.

    So for anyone else dealing with this, I'd try using the DISABLE command "manage-bde -protectors -disable c:", reboot, and give Sophos Central time to attempt the encryption.

    Again, thanks for your help!

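The same procedure the two posts above describe (check the TPM, check the BitLocker state of C:, suspend the protectors, reboot, then let the Sophos agent retry), written as a PowerShell script using the BitLocker and TrustedPlatformModule cmdlets that ship with Windows 10. This is an added example and is not code from the thread or from Sophos; it assumes the OS volume is C: and that the script is run from an elevated PowerShell session. It also shows the distinction the thread turns on: a volume whose protectors have been disabled still reports VolumeStatus = FullyEncrypted, but with ProtectionStatus = Off.

```powershell
# Added example, not from the thread or from Sophos.
# Assumptions: OS volume is C:, run from an elevated PowerShell session,
# Windows 10 with the BitLocker and TrustedPlatformModule modules present.
#Requires -RunAsAdministrator

$MountPoint = 'C:'

# 1. TPM state. The error text quoted in the thread ("verify that the TPM is
#    enabled and ownership has been taken") maps onto these properties.
$tpm = Get-Tpm
[pscustomobject]@{
    TpmPresent = $tpm.TpmPresent
    TpmReady   = $tpm.TpmReady    # provisioned and usable by BitLocker
    TpmEnabled = $tpm.TpmEnabled
    TpmOwned   = $tpm.TpmOwned    # ownership taken (Windows 10 auto-provisions)
} | Format-List

if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    Write-Warning 'TPM is not ready; provision it (Initialize-Tpm or firmware setup) before retrying.'
    return
}

# 2. BitLocker state of the OS volume. Two fields matter:
#    VolumeStatus     - FullyDecrypted / FullyEncrypted / EncryptionInProgress / ...
#    ProtectionStatus - On  = key protectors active
#                       Off = protectors suspended ("manage-bde -protectors -disable")
#                             or the volume is not encrypted at all
$vol = Get-BitLockerVolume -MountPoint $MountPoint
$vol | Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage,
    @{ n = 'Protectors'; e = { ($_.KeyProtector | ForEach-Object KeyProtectorType) -join ',' } } |
    Format-List

switch ($vol.VolumeStatus) {
    'FullyDecrypted' {
        # Nothing for the Sophos agent to take over; it should enable BitLocker
        # itself. Clearing the TPM again does not change this state.
        Write-Host "$MountPoint is not encrypted; let the Sophos agent enable BitLocker."
    }
    default {
        if ($vol.ProtectionStatus -eq 'On') {
            # Cmdlet equivalent of "manage-bde -protectors -disable C:".
            # -RebootCount 0 keeps the protectors suspended across reboots until
            # Resume-BitLocker is run (or the agent re-enables protection), which is
            # what the "disable, reboot, wait for Sophos" fix in the thread relies on.
            # Caveat: while suspended, the volume's key is stored in the clear on disk,
            # so do not leave the machine in this state longer than needed.
            Suspend-BitLocker -MountPoint $MountPoint -RebootCount 0 | Out-Null
            Write-Host "Protectors on $MountPoint suspended; reboot now and let the agent retry."
        }
        else {
            Write-Host "Protectors on $MountPoint are already suspended (ProtectionStatus=Off); reboot and retry."
        }
    }
}
```

After the reboot, run `Get-BitLockerVolume -MountPoint C:` again: once the agent has taken over, ProtectionStatus should read On with a Tpm protector listed, and the recovery key should be visible in Sophos Central. If the volume is still suspended after the agent has had time to act, `Resume-BitLocker -MountPoint C:` restores protection so the machine is not left with its key unprotected.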
  • Thank you, Mitch, for your confirmation and for sharing the steps you applied to solve the issue you were getting.

    Glenn ArchieSeñas (GlennSen)
    Global Community Support Engineer
